Security and Timing
This chapter provides information about Cisco ONS 15454 SDH users and SDH timing. To provision security and timing, refer to the Cisco ONS 15454 SDH Procedure Guide.
Chapter topics include:
• Users and Security
• Node Timing
8.1 Users and Security
The CISCO15 ID is provided with the ONS 15454 SDH system, but this user ID is not prompted when you sign into CTC. This ID can be used to set up other ONS 15454 SDH users. (To do this, complete the "Create Users and Assign Security" procedure in the Cisco ONS 15454 SDH Procedure Guide.)
You can have up to 500 user IDs on one ONS 15454 SDH. Each Cisco Transport Controller (CTC) or TL1 user can be assigned one of the following security levels:
• Retrieve—Users can retrieve and view CTC information but cannot set or modify parameters.
• Maintenance—Users can access only the ONS 15454 SDH maintenance options.
• Provisioning—Users can access provisioning and maintenance options.
• Superusers—Users can perform all of the functions of the other security levels as well as set names, passwords, and security levels for other users.
Each created user ID can be active on a network element (NE) in a single or multiple occurrence. If you provision the user ID to be active in a single occurrence (in node view Provisioning > Security > Policy tabs, Single Session per User check box), this means that if one user is logged into an NE as CISCO15, no one else can log into that NE as CISCO15. The default setting is to allow multiple concurrent User ID sessions.
Table 8-1 shows the actions that each user privilege level can perform in node view.
Note: You must add the same user name and password to each node the user will access.
Table 8-1 ONS 15454 SDH Security Levels—Node View

| CTC Tab | Subtab | Actions | Retrieve | Maintenance | Provisioning | Superuser |
|---|---|---|---|---|---|---|
| Alarms | — | Synchronize alarms | X | X | X | X |
| Conditions | — | Retrieve | X | X | X | X |
| History | Session | Read only | | | | |
| | Node | Retrieve alarms/events | X | X | X | X |
| Circuits | — | Create/edit/delete/filter | | | X | X |
| | | Search | X | X | X | X |
| Provisioning | General | Edit | | | X | X |
| | EtherBridge | Spanning trees: edit | | | X | X |
| | | Thresholds: Create/Delete | | | X | X |
| | Network | All | | | | X |
| | Protection | Create/delete/edit | | | X | X |
| | | Browse groups | X | X | X | X |
| | Ring | All (MS-SPRing) | | | X | X |
| | Security | Create/delete/change | | | | X |
| | | Change password | same user | same user | same user | all users |
| | SNMP | Create/delete/edit | | | X | X |
| | | Browse trap destinations | X | X | X | X |
| | SDH DCC/GCC | Create/delete/edit | | | X | X |
| | Timing | Edit | | | X | X |
| | Alarm Behavior | Edit | | | X | X |
| | Defaults Editor | Edit | | | | X |
| | UCP | All | | | X | X |
| Inventory | — | Delete | | | | X |
| | | Reset | | | | X |
| Maintenance | Database | Backup/Restore | | | | X |
| | EtherBridge | MAC table retrieve | X | X | X | X |
| | | MAC table clear/clear all | | X | X | X |
| | | Trunk utilization refresh | X | X | X | X |
| | Protection | Switch/lock out operations | | X | X | X |
| | MS-SPRing | MS-SPRing maintenance | | X | X | X |
| | Software | Download/upgrade/activate/revert | | | | X |
| | Cross-Connect | Protection switches | | X | X | X |
| | Overhead XConnect | Read only | | | | |
| | Timing | Edit | | X | X | X |
| | Audit | Retrieve/archive | X | X | X | X |
| | Routing Table | Read only | | | | |
| | RIP Routing Table | Retrieve | X | X | X | X |
A Superuser can perform ONS 15454 SDH user management tasks from the network or node (default login) view. In network view you can add, edit, or delete users from multiple nodes at one time. If you perform user management tasks in node view you can only add, edit, or delete users from that node.
Each ONS 15454 SDH CTC or TL1 user can be idle during his or her login session for a specified amount of time before the CTC window is locked. The lockouts prevent unauthorized users from making changes. Higher-level users have shorter default idle periods and lower-level users have longer or unlimited default idle periods, as shown in Table 8-2. The user idle period can be modified by a Superuser while completing the "Modify Users and Change Security" procedure in the Cisco ONS 15454 SDH Procedure Guide.
Table 8-2 ONS 15454 SDH Default User Idle Times

| Security Level | Idle Time |
|---|---|
| Superuser | 15 minutes |
| Provisioning | 30 minutes |
| Maintenance | 60 minutes |
| Retrieve | Unlimited |
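Because user IDs are provisioned per node and idle times can be changed by a Superuser, a periodic review can compare what is provisioned against the Table 8-2 defaults. The following is an added example, not code from Cisco or from the original page; the per-node inventory, its layout, and the user names are constructed for illustration and do not represent an ONS 15454 SDH export format.

```python
# Default idle times from Table 8-2, in minutes; None means unlimited.
DEFAULT_IDLE = {"Superuser": 15, "Provisioning": 30, "Maintenance": 60, "Retrieve": None}
# Security levels ordered from least to most privileged.
RANK = ["Retrieve", "Maintenance", "Provisioning", "Superuser"]

# Constructed sample data: node -> {user ID: (security level, idle minutes or None)}.
NODES = {
    "node-1": {"ops_anna": ("Superuser", 15), "noc_view": ("Retrieve", None),
               "tech_raj": ("Maintenance", 60)},
    "node-2": {"ops_anna": ("Superuser", 120), "noc_view": ("Provisioning", 30),
               "tech_raj": ("Maintenance", 60)},
    "node-3": {"ops_anna": ("Superuser", 15), "tech_raj": ("Maintenance", None)},
}

def idle_findings(nodes):
    """Users whose idle timer is longer than the Table 8-2 default for their level."""
    out = []
    for node, users in sorted(nodes.items()):
        for user, (level, idle) in sorted(users.items()):
            default = DEFAULT_IDLE[level]
            if default is None:
                continue  # Retrieve is unlimited by default; nothing can exceed it
            if idle is None or idle > default:
                out.append((node, user, level, idle, default))
    return out

def level_drift(nodes):
    """Users provisioned with different security levels on different nodes."""
    seen = {}
    for node, users in nodes.items():
        for user, (level, _idle) in users.items():
            seen.setdefault(user, {})[node] = level
    drift = {}
    for user, per_node in seen.items():
        if len(set(per_node.values())) > 1:
            highest = max(per_node.values(), key=RANK.index)
            drift[user] = (highest, dict(sorted(per_node.items())))
    return drift

if __name__ == "__main__":
    for finding in idle_findings(NODES):
        print("idle timer above default:", finding)
    for user, (highest, per_node) in sorted(level_drift(NODES).items()):
        print("level differs across nodes:", user, "highest =", highest, per_node)
```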
Further ONS 15454 SDH security features for passwords and logins are:
• Password expiration and reuse settings—Superusers can provision password reuse periods and reuse intervals (the number of passwords that must be generated before a password can be reused).
• Login visibility—Superusers can view a real-time list of the users who are logged into CTC or TL1 on a node by retrieving the list of logins for that node.
• Invalid login attempts—Superusers can define the number of invalid login attempts a user can make before his ID is locked out.
• Privilege change—Superusers can initiate privilege changes for other users while the user is logged in. The changes will be propagated to all nodes within the network and they become effective the next time the user logs in.
The ONS 15454 SDH maintains a 640-entry, human-readable audit trail of user actions such as login, logout, and circuit creation or deletion. You can offload the log to a local or network drive for later review. The ONS 15454 SDH generates an event to indicate when the log is 80% full, and another event to indicate that the oldest log entries are being overwritten.
8.2 Node Timing
SDH timing parameters must be set for each ONS 15454 SDH. Each ONS 15454 SDH independently accepts its timing reference from one of three sources:
• The BITS (Building Integrated Timing Supply) pins on the ONS 15454 SDH MIC-C/T/P coaxial connectors.
• An STM-N card installed in the ONS 15454 SDH. The card is connected to a node that receives timing through a BITS source.
• The internal ST3 clock on the TCC2 card.
You can set ONS 15454 SDH timing to one of three modes: external, line, or mixed. If timing is coming from the BITS connector, set ONS 15454 SDH timing to external. If the timing comes from an STM-N card, set the timing to line. In typical ONS 15454 SDH networks:
• One node is set to external. The external node derives its timing from a BITS source wired to the BITS MIC-C/T/P coaxial connectors. The BITS source, in turn, derives its timing from a Primary Reference Source (PRS) such as a Stratum 1 clock or GPS signal.
• The other nodes are set to line. The line nodes derive timing from the externally-timed node through the STM-N trunk (span) cards.
You can set three timing references for each ONS 15454 SDH. The first two references are typically two BITS-level sources, or two line-level sources optically connected to a node with a BITS source. The third reference is the internal clock provided on every ONS 15454 SDH TCC2 card. This clock is a Stratum 3 (ST3). If an ONS 15454 SDH becomes isolated, timing is maintained at the ST3 level.
Caution: Mixed timing allows you to select both external and line timing sources. However, Cisco does not recommend its use because it can create timing loops. Use this mode with caution.
8.2.1 Network Timing Example
Figure 8-1 shows an ONS 15454 SDH network timing setup example. Node 1 is set to external timing. Two timing references are set to BITS. These are Stratum 1 timing sources wired to the BITS MIC-C/T/P coaxial connectors on Node 1. The third reference is set to internal clock. The BITS outputs on Node 3 are used to provide timing to outside equipment, such as a Digital Access Line Access Multiplexer.
In the example, Slots 5 and 6 contain the trunk (span) cards. Timing at Nodes 2, 3, and 4 is set to line, and the timing references are set to the trunk cards based on distance from the BITS source. Reference 1 is set to the trunk card closest to the BITS source. At Node 2, Reference 1 is Slot 5 because it is connected to Node 1. At Node 4, Reference 1 is set to Slot 6 because it is connected to Node 1. At Node 3, Reference 1 could be either trunk card because they are equal distance from Node 1.
Figure 8-1 ONS 15454 SDH Timing Example
8.2.2 Synchronization Status Messaging
Synchronization Status Messaging (SSM) is an SDH protocol that communicates information about the quality of the timing source. SSM messages are carried on the S1 byte of the SDH section overhead. They enable SDH devices to automatically select the highest quality timing reference and to avoid timing loops.
SSM messages are either Generation 1 or Generation 2. Generation 1 is the first and most widely deployed SSM message set. Generation 2 is a newer version. If you enable SSM for the ONS 15454 SDH, consult your timing reference documentation to determine which message set to use. Table 8-3 shows the SDH message set.
Table 8-3 SDH SSM Message Set

| Message | Quality | Description |
|---|---|---|
| G811 | 1 | Primary Reference Clock |
| STU | 2 | Sync traceability unknown |
| G812T | 3 | Transit Node Clock Traceable |
| G812L | 4 | Local Node Clock Traceable |
| SETS | 5 | Synchronous Equipment |
| DUS | 6 | Do not use for timing synchronization |
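The selection behavior that SSM enables can be sketched as a simplified model using the quality values in Table 8-3. This is an added example, not Cisco's implementation or code from the original page; the tie-break on provisioned order, the treatment of a missing message as unusable, the SETS value for the internal clock, and the scenarios for Node 2 of the Figure 8-1 ring are assumptions made for illustration.

```python
# Quality levels from Table 8-3 (lower number = better timing quality).
SSM_QUALITY = {"G811": 1, "STU": 2, "G812T": 3, "G812L": 4, "SETS": 5, "DUS": 6}

def select_reference(refs):
    """Pick the timing reference to use.

    refs: list of (name, ssm) in provisioned order (Reference 1 first).
    ssm is a Table 8-3 message name, or None when no valid message is received.
    Returns (name, ssm) of the chosen reference, or None if none is usable.
    """
    usable = []
    for priority, (name, ssm) in enumerate(refs):
        if ssm is None or ssm == "DUS":
            continue  # failed reference, or explicitly marked "do not use"
        if ssm not in SSM_QUALITY:
            raise ValueError(f"unknown SSM message {ssm!r} on {name}")
        usable.append((SSM_QUALITY[ssm], priority, name, ssm))
    if not usable:
        return None
    _quality, _priority, name, ssm = min(usable)  # best quality, then provisioned order
    return name, ssm

# Constructed scenarios for Node 2: Reference 1 = Slot 5 (toward Node 1),
# Reference 2 = Slot 6, Reference 3 = internal clock (assumed to report SETS).
SCENARIOS = {
    "normal": [("Slot 5", "G811"), ("Slot 6", "G811"), ("Internal", "SETS")],
    "slot 5 span down": [("Slot 5", None), ("Slot 6", "G811"), ("Internal", "SETS")],
    "slot 5 lower quality": [("Slot 5", "G812T"), ("Slot 6", "G811"), ("Internal", "SETS")],
    "isolated": [("Slot 5", None), ("Slot 6", "DUS"), ("Internal", "SETS")],
}

if __name__ == "__main__":
    for label, refs in SCENARIOS.items():
        print(f"{label}: {select_reference(refs)}")
```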